---
_id: '5625'
abstract:
- lang: eng
  text: The increasing availability and deployment of open source software in personal
    and commercial environments makes open source software highly appealing for hackers,
    and others who are interested in exploiting software vulnerabilities. This deployment
    has resulted in a debate “full of religion” on the security of open source software
    compared to that of closed source software. However, beyond such arguments, only
    little quantitative analysis on this research issue has taken place. We discuss
    the state-of-the-art of the security debate and identify shortcomings. Based on
    these, we propose new metrics, which allow us to answer the question to what extent
    the review process of open source and closed source development has helped to
    fix vulnerabilities. We illustrate the application of some of these metrics in
    a case study on OpenOffice (open source software) vs. Microsoft Office (closed
    source software).
author:
- first_name: Guido
  full_name: Schryen, Guido
  id: '72850'
  last_name: Schryen
- first_name: Rouven
  full_name: Kadura, Rouven
  last_name: Kadura
citation:
  ama: 'Schryen G, Kadura R. Open Source vs. Closed Source Software: Towards Measuring
    Security. In: <i>24th Annual ACM Symposium on Applied Computing</i>. ; 2009.'
  apa: 'Schryen, G., & Kadura, R. (2009). Open Source vs. Closed Source Software:
    Towards Measuring Security. In <i>24th Annual ACM Symposium on Applied Computing</i>.'
  bibtex: '@inproceedings{Schryen_Kadura_2009, title={Open Source vs. Closed Source
    Software: Towards Measuring Security}, booktitle={24th Annual ACM Symposium on
    Applied Computing}, author={Schryen, Guido and Kadura, Rouven}, year={2009} }'
  chicago: 'Schryen, Guido, and Rouven Kadura. “Open Source vs. Closed Source Software:
    Towards Measuring Security.” In <i>24th Annual ACM Symposium on Applied Computing</i>,
    2009.'
  ieee: 'G. Schryen and R. Kadura, “Open Source vs. Closed Source Software: Towards
    Measuring Security,” in <i>24th Annual ACM Symposium on Applied Computing</i>,
    2009.'
  mla: 'Schryen, Guido, and Rouven Kadura. “Open Source vs. Closed Source Software:
    Towards Measuring Security.” <i>24th Annual ACM Symposium on Applied Computing</i>,
    2009.'
  short: 'G. Schryen, R. Kadura, in: 24th Annual ACM Symposium on Applied Computing,
    2009.'
date_created: 2018-11-14T14:12:27Z
date_updated: 2022-01-06T07:02:13Z
ddc:
- '000'
department:
- _id: '277'
extern: '1'
file:
- access_level: open_access
  content_type: application/pdf
  creator: hsiemes
  date_created: 2018-12-18T13:14:09Z
  date_updated: 2018-12-18T13:14:09Z
  file_id: '6310'
  file_name: ACM VERSION.pdf
  file_size: 456497
  relation: main_file
file_date_updated: 2018-12-18T13:14:09Z
has_accepted_license: '1'
keyword:
- Open source software
- Closed source software
- Security
- Metrics
language:
- iso: eng
oa: '1'
publication: 24th Annual ACM Symposium on Applied Computing
status: public
title: 'Open Source vs. Closed Source Software: Towards Measuring Security'
type: conference
user_id: '61579'
year: '2009'
...
---
_id: '5647'
abstract:
- lang: eng
  text: Reviewing literature on open source and closed source security reveals that
    the discussion is often determined by biased attitudes toward one of these development
    styles. The discussion specifically lacks appropriate metrics, methodology and
    hard data. This paper contributes to solving this problem by analyzing and comparing
    published vulnerabilities of eight open source software and nine closed source
    software packages, all of which are widely deployed. Thereby, it provides an extensive
    empirical analysis of vulnerabilities in terms of mean time between vulnerability
    disclosures, the development of disclosure over time, and the severity of vulnerabilities,
    and allows for validating models provided in the literature. The investigation
    reveals that (a) the mean time between vulnerability disclosures was lower for
    open source software in half of the cases, while the other cases show no differences,
    (b) in contrast to literature assumption, 14 out of 17 software packages showed
    a significant linear or piecewise linear correlation between time and the number
    of published vulnerabilities, and (c) regarding the severity of vulnerabilities,
    no significant differences were found between open source and closed source.
author:
- first_name: Guido
  full_name: Schryen, Guido
  id: '72850'
  last_name: Schryen
citation:
  ama: 'Schryen G. Security of open source and closed source software: An empirical
    comparison of published vulnerabilities. In: <i>15th Americas Conference on Information
    Systems</i>. ; 2009.'
  apa: 'Schryen, G. (2009). Security of open source and closed source software: An
    empirical comparison of published vulnerabilities. In <i>15th Americas Conference
    on Information Systems</i>.'
  bibtex: '@inproceedings{Schryen_2009, title={Security of open source and closed
    source software: An empirical comparison of published vulnerabilities}, booktitle={15th
    Americas Conference on Information Systems}, author={Schryen, Guido}, year={2009}
    }'
  chicago: 'Schryen, Guido. “Security of Open Source and Closed Source Software: An
    Empirical Comparison of Published Vulnerabilities.” In <i>15th Americas Conference
    on Information Systems</i>, 2009.'
  ieee: 'G. Schryen, “Security of open source and closed source software: An empirical
    comparison of published vulnerabilities,” in <i>15th Americas Conference on Information
    Systems</i>, 2009.'
  mla: 'Schryen, Guido. “Security of Open Source and Closed Source Software: An Empirical
    Comparison of Published Vulnerabilities.” <i>15th Americas Conference on Information
    Systems</i>, 2009.'
  short: 'G. Schryen, in: 15th Americas Conference on Information Systems, 2009.'
date_created: 2018-11-14T14:41:24Z
date_updated: 2022-01-06T07:02:19Z
ddc:
- '000'
department:
- _id: '277'
extern: '1'
file:
- access_level: open_access
  content_type: application/pdf
  creator: hsiemes
  date_created: 2018-12-18T13:16:39Z
  date_updated: 2018-12-18T13:16:39Z
  file_id: '6317'
  file_name: Security of Open Source and Closed Source Software An Empirical - AMCIS
    Version.pdf
  file_size: 483690
  relation: main_file
file_date_updated: 2018-12-18T13:16:39Z
has_accepted_license: '1'
keyword:
- Vulnerabilities
- security
- open source software
- closed source software
- empirical comparison
language:
- iso: eng
oa: '1'
publication: 15th Americas Conference on Information Systems
status: public
title: 'Security of open source and closed source software: An empirical comparison
  of published vulnerabilities'
type: conference
user_id: '61579'
year: '2009'
...
